CVE-2010-4528: Pidgin MSN Remote NULL Pointer Dereference

This bug was reported by Stu Tomlinson and affects versions 2.7.6 through 2.7.8 of the popular instant messaging client. The buggy code resides in libpurple/protocols/msn/directconn.c, which handles direct connections for the MSN protocol.

The above routine processes an MSN packet received over a direct connection. When the connection is already established (case ‘DC_STATE_ESTABLISHED’), it checks that the received header is non-zero and then tries to build a message part from the newly received data using the msn_slpmsgpart_new_from_data() function, located in libpurple/protocols/msn/slpmsg_part.c.

This means that an MSN packet with a header size less than 48 makes msn_slpmsgpart_new_from_data() return NULL. Back in msn_dc_process_packet(), the returned pointer ‘part’ is passed to msn_slplink_process_msg() and msn_slpmsgpart_unref() without any check. Consequently, any access to ‘part’ inside those two routines results in a NULL pointer dereference.
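The pattern described above, as an added example that is not Pidgin's code: a hypothetical parser that returns NULL for a packet shorter than its 48-byte header, next to an unchecked caller (the crash) and a caller that rejects the packet first. All function and type names here are stand-ins for the libpurple ones, and the packets are constructed zero-filled buffers.

```c
/* Added example modelling the CVE-2010-4528 bug class; names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PART_HEADER_LEN 48   /* minimum size the parser requires, as in the advisory */

typedef struct {
    uint8_t header[PART_HEADER_LEN];
    size_t  body_len;
} msg_part;

/* Mirrors the described behaviour of msn_slpmsgpart_new_from_data():
 * too little data for a header -> NULL, otherwise a freshly allocated part. */
msg_part *part_new_from_data(const uint8_t *data, size_t len)
{
    if (data == NULL || len < PART_HEADER_LEN)
        return NULL;
    msg_part *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    memcpy(p->header, data, PART_HEADER_LEN);
    p->body_len = len - PART_HEADER_LEN;
    return p;
}

/* Vulnerable pattern: the part is used unconditionally, so a NULL result
 * from the parser is dereferenced and the client crashes (remote DoS). */
static size_t process_part_unchecked(const msg_part *part)
{
    return part->body_len;   /* NULL dereference if the packet was too short */
}

/* Hardened pattern: a short or malformed packet is dropped before anything
 * touches it. Returns -1 when rejected, otherwise the processed body length. */
long process_packet(const uint8_t *data, size_t len)
{
    msg_part *part = part_new_from_data(data, len);
    if (part == NULL)
        return -1;
    long processed = (long)process_part_unchecked(part);
    free(part);
    return processed;
}

/* Constructed input for demonstration: an all-zero packet of `len` bytes. */
long process_zero_packet(size_t len)
{
    uint8_t buf[128] = {0};
    if (len > sizeof buf)
        return -1;
    return process_packet(buf, len);
}
```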
To fix this, the following patch was applied.